MuddyWater APT Shifts Tactics to Custom Malware

Group-IB analysts have released new intelligence on MuddyWater, the Iranian state-sponsored APT linked to Tehran’s Ministry of Intelligence and Security (MOIS). The report highlights the group’s shift in tactics, tools, and infrastructure, signaling a continued rise in operational sophistication.

According to the report, “The group has significantly reduced its widespread Remote Monitoring and Management based intrusions (RMM), reverting to a more targeted operational approach.” While RMM tools such as SimpleHelp, Atera, and ScreenConnect were widely abused in 2024, 2025 has seen a pivot back to spearphishing and custom backdoors.

MuddyWater now relies heavily on custom malware families, including Phoenix, StealthCache, BugSleep, and Fooder, as well as PowerShell-based implants.

The report identifies several newly weaponized tools:

  • BugSleep – a C/C++ backdoor capable of file transfers, interactive shells, and persistence tasks, widely deployed in 2024.
  • StealthCache – an advanced backdoor with credential theft capabilities and anti-analysis features, observed communicating via unique HTTP(S) endpoints.
  • Phoenix – a lightweight backdoor that uses PowerShell for persistence and communicates with C2 servers through periodic “/iamalive” beacons.
  • Fooder – a sophisticated loader using DLL side-loading and multi-threading to evade detection.
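A defender-side check for the Phoenix beacon pattern described above, added here as an example and not code from Group-IB's report: it parses constructed web-proxy log lines, groups "/iamalive" requests per client and destination host, and flags pairs whose request intervals are nearly constant, which is what a scheduled beacon looks like in logs. The log line format, hostnames, and the jitter and minimum-hit thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): "<timestamp> <client> <method> <path> <host>".
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 10.0.0.5 GET /iamalive c2.example.invalid
2025-09-01T10:05:01Z 10.0.0.5 GET /iamalive c2.example.invalid
2025-09-01T10:10:00Z 10.0.0.5 GET /iamalive c2.example.invalid
2025-09-01T10:15:02Z 10.0.0.5 GET /iamalive c2.example.invalid
2025-09-01T10:03:17Z 10.0.0.9 GET /index.html www.example.invalid
2025-09-01T10:07:44Z 10.0.0.9 GET /iamalive www.example.invalid
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, client, path, host) from the assumed log format; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(4), m.group(5)


def find_iamalive_beacons(log_text, path="/iamalive", min_hits=3, max_jitter=0.1):
    """Return {(client, host): mean_interval_seconds} for regular beacon-like request series."""
    hits = defaultdict(list)
    for ts, client, req_path, host in parse(log_text):
        if req_path == path:
            hits[(client, host)].append(ts)
    flagged = {}
    for key, times in hits.items():
        times.sort()
        if len(times) < min_hits:  # a single hit is not a beacon
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a scheduled beacon keeps a tight interval even with small jitter.
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_jitter:
            flagged[key] = round(avg)
    return flagged
```

On the sample above, the client polling every five minutes is flagged while the one-off request to the web server is not; in production, feed it the proxy or web-server log export for a whole day so short sleep intervals are not missed.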

Group-IB notes: “Multiple new malware variants and tools have been observed to be weaponised by MuddyWater: StealthCache, Phoenix, Fooder, LiteInject, and others.”

The analysts uncovered a deliberate mix of mainstream cloud and bulletproof hosting providers to complicate attribution. “Infrastructure analysis has revealed active use of Amazon Web Services (AWS) for hosting malicious assets, and Cloudflare services have been leveraged to hide infrastructure fingerprints and impede analysis.” Providers such as DigitalOcean, OVH, M247, and Stark Industries were also linked to MuddyWater activity.

Despite these precautions, the group continues to make OPSEC mistakes, such as reusing TLS certificates and domains, which has allowed researchers to track them across campaigns.

MuddyWater’s operations remain closely aligned with Iranian geopolitical goals. “MuddyWater represents a sophisticated Advanced Persistent Threat (APT) group. It is believed to be operating under Iran’s Ministry of Intelligence and Security (MOIS), functioning as a critical component of Tehran’s offensive cyber capabilities.”

The group’s targeting spans telecommunications, government, defense, energy, and critical infrastructure, with activity increasingly observed in Europe and the United States.

Group-IB concludes that “MuddyWater will remain a persistent and adaptive threat, especially in regions and sectors tied to Iranian strategic interests.” With a growing arsenal of custom backdoors, weaponized open-source tools, and resilient infrastructure, the group is demonstrating a sustained ability to evolve and outpace defensive measures.
